Does anyone know if there is a specific limitation or additional scope requirement when attempting to assign custom roles to users in bulk via the User Management API for partner-managed organizations?
We are deploying a standardized role hierarchy across 120+ client organizations using our AppFoundry integration. The workflow involves creating new users via POST /api/v2/users and immediately assigning predefined custom roles using PUT /api/v2/users/{userId}/roles. While user creation succeeds consistently, the subsequent role assignment fails intermittently with a 403 Forbidden error.
The service account used for this integration has the admin scope and is assigned the AppFoundry Admin role within the partner org. We have verified that the service account has been granted Manage Users permissions in the target client orgs. The error occurs specifically when the payload includes multiple custom roles defined in the client’s environment, but not when assigning standard platform roles like Agent or Supervisor.
POST /api/v2/users/{userId}/roles
Status: 403 Forbidden
Message: Access denied. The authenticated user does not have permission to perform this action.
This behavior is inconsistent. Retrying the same request after a 5-second delay occasionally succeeds, which suggests a potential race condition or a propagation delay in the permission cache rather than a hard permission denial. We are using the Node.js SDK v4.3.0 and have implemented exponential backoff logic, but the failure rate remains around 15% for bulk operations.
Has anyone encountered similar issues with role assignment latency in multi-tenant AppFoundry deployments? Are there specific headers or retry strategies recommended for ensuring role assignments are processed correctly immediately after user creation? We need a reliable method to synchronize role assignments without manual intervention in each client org.
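A bounded retry for the create-then-assign sequence described above, as an added example that is not part of the original post or the platform SDK. It retries a 403 only inside a short window, so that a denial that persists is reported as a genuine authorization failure instead of being retried indefinitely. Assumptions: `assignRolesWithBoundedRetry`, the caller-supplied `assignRoles` function and the 30-second window are hypothetical, and errors are assumed to carry the HTTP code in `status`.

```javascript
// Added example: hypothetical helper, not part of the platform SDK.
// assignRoles(userId, roleIds) is a caller-supplied async function that
// rejects with an Error carrying `status` (the HTTP status code).
async function assignRolesWithBoundedRetry(assignRoles, userId, roleIds, opts = {}) {
  const {
    windowMs = 30000,    // assumed upper bound on permission propagation
    baseDelayMs = 1000,
    maxDelayMs = 8000,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    now = Date.now,
    random = Math.random,
  } = opts;
  const start = now();
  const attempts = []; // audit trail: one entry per failed attempt
  for (let n = 0; ; n++) {
    try {
      await assignRoles(userId, roleIds);
      return { ok: true, userId, attempts };
    } catch (err) {
      const status = err && err.status;
      attempts.push({ n, status, elapsedMs: now() - start });
      // Retry only 403 (suspected propagation delay), 429 and 5xx.
      const retryable =
        status === 403 || status === 429 || (status >= 500 && status < 600);
      // Exponential backoff with jitter in the range [50%, 100%] of the step.
      const delay = Math.min(maxDelayMs, baseDelayMs * 2 ** n) * (0.5 + random() / 2);
      if (!retryable || now() - start + delay > windowMs) {
        // A 403 that outlives the window is treated as a real denial and
        // surfaced for review instead of being retried further.
        return { ok: false, userId, hardDenial: status === 403, attempts };
      }
      await sleep(delay);
    }
  }
}
```

The returned `attempts` array can be logged per organization, which makes it visible whether 403s cluster right after user creation or also occur on long-lived accounts.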